Announcing SSH Access through Cloudflare

We held our annual Cloudflare Retreat last week. Over 750 team members from nearly a dozen offices spent three days learning, bonding and some of them got to smash a VPN piñata on stage with a baseball bat. Yes, you read that right.

The latest feature added to Cloudflare Access let us celebrate the replacement of our clunky VPN with a faster, safer way to reach our internal applications. You can now place applications that require SSH connections, like your source control repository, behind Cloudflare Access. We’re excited to release that same feature so that your team can also destroy your own VPN (piñata not included).

How we smashed our VPN

We built Access to replace our corporate VPN. We started with browser-based applications, moved to CLI operations, and then began adding a growing list of single sign-on integrations. Our teammates added single sign-on support to the Cloudflare dashboard by combining Access and our serverless product, Workers. We improved the daily workflow of every team member each time we moved another application behind Access. However, SSH connections held us back. Whenever we needed to push code or review a pull request, we had to fall back to our cumbersome VPN.

While the VPN inconvenienced most users, our security team flagged disabling it as a potential risk: a VPN is still a perimeter, and once inside that private network an attacker can move laterally, probe vulnerable internal services and reach sensitive data. Our CSO set a company-wide goal to retire last decade's model of network security without compromising security while doing so. The Access team met with our security group and we set retreat week as the deadline for moving this category of applications behind Access, as part of a holistic effort to strengthen enterprise identity and access management. We agreed with the sense of urgency and got to work solving the SSH challenge.

We started by building on top of some of the strongest capabilities of other Cloudflare products. We relied on Argo Tunnel to secure the SSH connections. We accelerated the performance of those connections by leveraging Argo smart routing. We used Cloudflare’s command line tool, cloudflared, to establish the connection between your device and the server you need to reach. We were able to move applications behind Access and reach them over SSH by starting with the best of Cloudflare.

Our security team considered this cause to celebrate and set a new goal: finding a custom piñata in the shape of an actual VPN appliance. They were able to have one made in time for retreat and we invited team members on stage to swing away. It wasn’t until I watched my coworkers smash the representation that I realized just how frustrated they were with the VPN.

Today, we’re sharing that feature with your team. You don’t have to actually smash a VPN, but we think your coworkers and security team will be just as excited as ours were.

Protecting your server

To protect a server you need to reach over SSH, start by exposing that machine to the Cloudflare network with Argo Tunnel. Argo Tunnel connects your server to Cloudflare without the need to open firewall ports or configure ACLs: cloudflared on the server dials out to Cloudflare, so the origin accepts no inbound connections at all. Every request must then traverse the Cloudflare network, where protections such as unmetered DDoS mitigation apply (and, for HTTP applications, the web application firewall), before it ever reaches your machine.

When you configure Argo Tunnel, you’ll assign a hostname to that server that can be reached over the internet through the Cloudflare network. Cloudflare Access can then control who is allowed to reach your server. With the hostname ready and a policy applied, you can start to use cloudflared and your identity provider to connect over SSH.

Connecting to your server over SSH

When you attempt to reach a web application behind Access, we instead redirect you to your identity provider. Once you log in, we generate a JSON Web Token and store that token as a cookie in your browser. SSH connections require a slightly different flow for your end users, but one that is just as convenient.

First, you need to install cloudflared. cloudflared is a lightweight command line tool published by Cloudflare that proxies your SSH connection from your device, through the Cloudflare network, to the server. You can remove the need for any special commands by adding two lines to your SSH config file: a Host entry for the hostname and a ProxyCommand that always routes that hostname through cloudflared.

Once set up, you can attempt to reach the resource over SSH from your command line or code editor. cloudflared will launch a browser window and ask you to log in with your identity provider. If you already have an active session with that provider in your browser, it will just display a Success screen. Either way, when you authenticate, Access generates the token and hands it to cloudflared, which stores it on your device and includes it on all subsequent requests. Because the token is now a local file rather than a browser cookie, treat it like any other credential on that machine. SSH itself is unchanged: cloudflared only carries the connection, so your client still performs its own host key verification against the server at the other end.
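The two halves of the setup described above (exposing the server with Argo Tunnel, and the two-line client SSH config that routes one hostname through cloudflared) as an added example, not code from the original post or from Cloudflare. The hostname ssh.example.com and the config file path are assumptions; the cloudflared invocations are the documented `tunnel` and `access ssh` subcommands.

```bash
#!/usr/bin/env bash
# Added example: wiring cloudflared into SSH on both ends.
# ssh.example.com and the config path are assumptions, not values from the post.
set -eu

# Server side: expose the local sshd through Argo Tunnel under the chosen hostname.
# The origin opens no inbound port; cloudflared dials out to Cloudflare.
# Wrapped in a function so the rest of this script runs on a machine without cloudflared.
start_ssh_tunnel() {
  local hostname="$1"
  cloudflared tunnel --hostname "$hostname" --url ssh://localhost:22
}

# Client side: the two-line ssh_config stanza. %h expands to the Host alias,
# so the ProxyCommand line is identical for every protected hostname.
ssh_config_stanza() {
  local hostname="$1"
  printf 'Host %s\n  ProxyCommand cloudflared access ssh --hostname %%h\n' "$hostname"
}

# Append the stanza exactly once; re-running must not duplicate it.
# Keeps the file at 0600, which ssh expects for its own config.
ensure_ssh_config() {
  local hostname="$1" config="${2:-$HOME/.ssh/config}"
  mkdir -p "$(dirname "$config")"
  touch "$config"
  chmod 600 "$config"
  if grep -qE "^Host[[:space:]]+${hostname}\$" "$config"; then
    return 0
  fi
  ssh_config_stanza "$hostname" >> "$config"
}

# Sanity check before trying `ssh ssh.example.com`: the Host line must be
# immediately followed by the cloudflared ProxyCommand.
has_proxy_stanza() {
  local hostname="$1" config="${2:-$HOME/.ssh/config}"
  grep -A1 -E "^Host[[:space:]]+${hostname}\$" "$config" \
    | grep -q 'ProxyCommand cloudflared access ssh --hostname %h'
}
```

After `ensure_ssh_config ssh.example.com`, a plain `ssh ssh.example.com` (or a `git push` to a remote on that host) invokes cloudflared as the ProxyCommand, which opens the browser for the identity provider login on first use and reuses the stored token afterwards. The dots in the hostname are left unescaped in the grep patterns, which is fine for a check on your own config but should be tightened if you reuse this on untrusted input.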

What's next?

When we place a tool behind Access, we help every member of our team do their best work faster. We review pull requests more quickly and deliver more iterative feedback from any device. We add new details to our product documentation more often. Instead of waiting to batch work that requires the VPN, we can complete those tasks without slowing down our day.

Most importantly, Access also makes a team’s work more secure. We’ve been excited to partner with our own security team to build a solution that better protects what we build here at Cloudflare.

You can start protecting your applications that require SSH connections by using this guide here. If you host your own VPN smashing parties, please send us an invitation - we’ll do everything we can to attend (we’ll bring pizza).